Case 3:19-mj-71^-MAG Document 1 Filed 08/09/19 Page 1 of 13


Attachment A 





AFFIDAVIT OF FBI SPECIAL AGENT ROBBIE J. ROBERTSON

IN SUPPORT OF A CRIMINAL COMPLAINT

I, Robbie J. Robertson, Special Agent of the Federal Bureau of Investigation (“FBI”), 
being duly sworn, hereby declare as follows: 

AGENT BACKGROUND AND BASES FOR STATEMENTS 


1. I am a Special Agent with the FBI assigned to investigate cyber-crime, and have
been so employed since September 2017. My training included attending FBI new agent basic
training during which I received instruction on various aspects of federal investigations. Since
May 2019, I have been assigned to investigate high technology and cyber-crime and have been
involved in investigations of alleged computer-related and intellectual property offenses,
including computer intrusions, trafficking in counterfeit goods, wire fraud, internet extortion, and
other criminal matters. As an FBI agent, I am authorized to investigate violations of United
States law and am a law enforcement officer with the authority to execute warrants issued under
the authority of the United States. Prior to my current position as a Special Agent with the FBI, I
obtained a Bachelor of Science degree in Information Technology. During my career as a
Special Agent of the FBI, I have received training and possess actual experience relating to
federal criminal procedures and federal statutes. I have also received specialized training and
instruction in the field of investigation in computer-related crimes. I have had the opportunity to
conduct, coordinate, and participate in numerous investigations relating to computer-related
crimes. I have participated in the execution of numerous search warrants and arrest warrants
conducted by the FBI.

2. The statements contained in this affidavit are based, in part, on my training, years
of investigative experience, and my personal participation in this investigation. The statements
contained in this affidavit are sometimes based on information provided by other FBI Special
Agents, other government agencies, as well as information derived from interviews of victim
companies.

3. Because this affidavit is submitted for the limited purpose of securing an arrest
warrant, I have not included each and every fact known to me that supports probable cause. This
affidavit does not purport to set forth all of my knowledge of, or investigation into, this matter. I
have summarized information, including information received from law enforcement agents and
officers, documents, and records. I have set forth those facts that I believe are sufficient to
support the issuance of the requested arrest warrant. I am not relying upon facts not set forth
herein to support my conclusion.

4. I am one of the agents participating in the investigation of Shariq Hashme
(“HASHME”) for offenses relating to the unauthorized access and damage to computers 
belonging to Company A, a San Francisco, California-based data analysis company. 

5. As part of that ongoing FBI investigation, I make this affidavit in support of an 
application by the United States of America for a complaint and arrest warrant for HASHME.

6. As set forth herein, there is probable cause to believe that HASHME knowingly
caused the transmission of a program, information, code, and command, and as a result of such
conduct, intentionally caused damage without authorization, to a protected computer, and
thereby caused loss to one or more persons during a one-year period affecting protected
computers aggregating at least $5,000 in value, in violation of Title 18, United States Code,
Sections 1030(a)(5)(A) and 1030(c)(4)(B)(i).

APPLICABLE STATUTES

7. Under Title 18, United States Code, Section 1030(a)(5)(A), it is unlawful for an
individual to “knowingly cause[] the transmission of a program, information, code, or command,
and as a result of such conduct, intentionally causes damage without authorization, to a protected
computer.” A protected computer is a computer that is used in or affecting interstate or foreign
commerce. See 18 U.S.C. § 1030(e)(2)(B). The term “damage” means impairment to the
integrity or availability of data, a program, a system, or information. See 18 U.S.C. § 1030(e)(8).

8. Under Title 18, United States Code Sections 1030(c)(4)(B)(i) and (c)(4)(A)(i)(I),
the penalty for a violation of 18 U.S.C. § 1030(a)(5)(A) is a fine and imprisonment of not more
than ten years if the offense caused (i) loss to 1 or more persons during any 1-year period
aggregating at least $5,000 in value; (ii) the modification or impairment, or potential
modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or
more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; (v)
damage affecting a computer used by or for an entity of the United States Government in
furtherance of the administration of justice, national defense, or national security; or (vi) damage
affecting 10 or more protected computers during any 1-year period.

FACTS SUPPORTING PROBABLE CAUSE 

Summary 

9. Beginning at least as early as on or about February 26, 2019, continuing through 
and including on or about July 11, 2019, Shariq HASHME repeatedly connected to and caused
transmissions to Company A’s internal payment database to surreptitiously alter its data and 
contents without authorization in order to divert at least approximately $40,000 in payments to 
accounts controlled by HASHME. 

10. HASHME, who was employed as an engineer at Company A, is an individual that
resided in 2019 in San Francisco, California before on or about April 18, 2019, and outside the
United States after on or about that date. HASHME worked for Company A as an employee
then later as a non-employee contractor during this time.

Background of Investigation 

11. Company A is a San Francisco, California-based data analysis company. 

12. PayPal is a web-based financial services provider based in Mountain View, 
California. 

13. On May 8, 2019, representatives of Company A contacted the San Francisco
Division of the FBI to report a criminal cyber incident. According to representatives of the
company, they discovered their internal payment database, contained in their back-end computer
network infrastructure, had been compromised in late April 2019.

14. Company A advised that it paid its employees through PayPal and would at times
issue “bonus” payments to its employees through PayPal using its internal payment database,
which also listed employees’ personally identifiable information, including work related e-mail
account information. Company A utilized “1Password,” a service that streamlines access to
multiple protected enclaves through a singular password and username. In this instance, each
engineer was given access to a 1Password account and all administrator-level tasks were
executed under the same account. Furthermore, 1Password automatically populated user names
and passwords in order to access Company A’s back-end infrastructure. Access to the
company’s internal payment database and other internal infrastructure was restricted using
1Password. Company A advised that the 1Password credentials were shared through each
engineer’s individually-operated GitHub account.

15. Company A reported that during this cyber incident, an individual connected to its
internal payment database and altered payments that were originally directed to legitimate
employees to divert them to a PayPal account linked to “Bruno.Day.1988@outlook.com”
(“Subject PayPal account”). Company A determined that this re-direction of payments to the
Subject PayPal account occurred through transmissions to its internal payment database using the
1Password account. Based on an internal investigation conducted by Company A, the majority
of the altered payments made to the Subject PayPal account were in the amount of $140.00
beginning on or about March 12, 2019 and ending on or about May 6, 2019. Over the course of
this cyber incident, Company A advised that a total of approximately 100 payments were altered
in the internal payment database and diverted to the Subject PayPal account, resulting in losses
of at least approximately $14,000.

16. Company A provided the FBI with a suspicious IP address of 182.232.191.125,
which connected to its internal payment database around the time of one of the intrusion
incidents on April 30, 2019 at 13:39:53 UTC. IP addresses oftentimes are associated with a
particular geographic area or region based on them falling within certain known IP address
ranges. The aforementioned suspicious IP address was confirmed to be associated with the
particular geographic area of (“geo-located”) of Thailand using open source research conducted
by the FBI.

17. Following the initial incident, Company A advised the FBI of another similar
cyber incident in which an individual manipulated the internal payment database and altered
approximately 30 additional $140.00 bonus payments to divert them to the Subject PayPal
account; these payments were processed on or about May 6, 2019, resulting in losses of at least
approximately $4,200. This similar incident took place after Company A took additional
security measures in response to the initial incident. For example, known IP addresses were
“white listed” or allowed to access internal infrastructure, while unknown IPs were restricted.

18. On July 16, 2019, Company A advised the FBI of yet another similar cyber
incident in which an individual manipulated the internal payment database and altered
approximately $15,000 in bonus payments, this time to divert them to a PayPal account linked to
“dragonball844@outlook.com.” The incident occurred on June 20, 2019, but was not discovered
until July 12, 2019. No IP addresses were available, due to new database configurations at
Company A.

Identification of HASHME 




February 26, 2019 to June 13, 2019, this PayPal account received more than 190 payments from
Company A that totaled approximately $26,663. The subscriber information of the PayPal
account included the following:

First Name: Bruno 



20. The FBI also obtained records from PayPal for the account registered to
dragonball844@outlook.com. In part, PayPal records provided the subscriber information, IP
logs and transaction history for the accounts registered to dragonball844@outlook.com. From
June 28, 2019 to July 11, 2019, this PayPal account received more than 70 payments from
Company A that totaled approximately $13,190. The subscriber information of the PayPal
accounts included the following:


First Name:
Last Name:
Email: dragonball844@outlook.com
Address:
Telephone:
Time Created: June 24, 2019, 6:47:25

21. PayPal records also provided a “confirmed” cellular phone number for both of the
aforementioned PayPal accounts,
A cell phone number is “confirmed” when a
user confirms receipt of an automated text message from PayPal by entering an alphanumeric
code included in the text message. By using open source and FBI internal record searches, a
number of documents associated Shariq HASHME with mobile number
and the aforementioned addresses.

22. In addition, PayPal records included banking information related to the ability of
PayPal users to transfer money from their PayPal account to a debit/credit card or to another
financial institution. The PayPal accounts registered to Bruno.Day.1988@outlook.com and
dragonball844@outlook.com listed the following accounts:

Account #    Status      Name              Start Date    Expiration Date
             INACTIVE    Bruno Day         6-Mar-19
Type            Issuer                                   Confirmed      Issue#    Currency
VISA CREDIT     Bank of America-Consumer Credit          Unconfirmed    -         USD

and

Account #    Status      Name              Start Date    Expiration Date
             INACTIVE    Bruno Day         6-Mar-19
Type            Issuer                                   Confirmed      Issue#    Currency
VISA PREPAID    Central Bank of Kansas City              Unconfirmed    -         USD

and

Account #    Status      Name              Start Date    Expiration Date
             ACTIVE      Bruno Day         6-Mar-19
Type            Issuer                                   Confirmed      Issue#    Currency
VISA DEBIT      Bank of America, National Association    Unconfirmed    -         USD

and

Account #    Status      Name              Start Date    Expiration Date
             ACTIVE      Victor Montoya    24-Jun-19
Type            Issuer                                   Confirmed      Issue#    Currency
VISA DEBIT      Bank of America, National Association    Unconfirmed    -         USD
23. Additionally, during the records searches, personal email addresses of
for HASHME were revealed. The
FBI obtained records from PayPal for an account registered
In part, PayPal records provided the subscriber information, IP logs and transaction history for the
accounts registered to
The subscriber information of the PayPal
accounts included the following:


First Name: Shariq
Last Name: Hashme
DOB:
Email:
Address:
Telephone:
Time Created: July 30, 2011, 13:25:31
Bank Name: Bank of America
Bank Account: ^^^^H2236
(Entered on 9/27/17)


24. Based on the PayPal records for the bruno.day.1988@outlook.com and
accounts, IP addresses geo-located in Thailand accessed both accounts
during a time period relevant to the aforementioned cyber incidents. This approximate time
period and location matched the previously-provided suspicious IP noted by Company A, also
geo-located in Thailand, which connected to its internal payment database on April 30, 2019.

The records below reflect a portion of relevant IP address logs:


Date/Time (PST/PDT)      IP Address         PayPal Account                ISP                       Location
05 May 2019 21:05:33     182.232.145.215                                  TH AIS Mobile Internet    Bangkok, Thailand
05 May 2019 3:53:19      182.232.145.215                                  TH AIS Mobile Internet    Bangkok, Thailand
04 May 2019 22:12:08     182.232.145.215                                  TH AIS Mobile Internet    Bangkok, Thailand
04 May 2019 4:24:39      182.232.161.90                                   TH AIS Mobile Internet    Bangkok, Thailand
04 May 2019 1:07:22      182.232.161.90                                   TH AIS Mobile Internet    Bangkok, Thailand
03 May 2019 2:58:59      182.232.161.90                                   TH AIS Mobile Internet    Bangkok, Thailand
03 May 2019 2:49:51      182.232.161.90     bruno.day.1988@outlook.com    TH AIS Mobile Internet    Bangkok, Thailand
02 May 2019 20:36:14     182.232.161.90     bruno.day.1988@outlook.com    TH AIS Mobile Internet    Bangkok, Thailand
02 May 2019 17:39:59     182.232.161.90                                   TH AIS Mobile Internet    Bangkok, Thailand
01 May 2019 20:54:35     182.232.194.57                                   TH AIS Mobile Internet    Bangkok, Thailand
01 May 2019 17:43:09     182.232.194.57                                   TH AIS Mobile Internet    Bangkok, Thailand
01 May 2019 5:00:09      182.232.194.57                                   TH AIS Mobile Internet    Bangkok, Thailand
01 May 2019 3:12:37      182.232.191.33                                   TH AIS Mobile Internet    Bangkok, Thailand



25. The FBI requested records associated with two bank accounts listed with the
PayPal accounts registered to Bruno.Day.1988@outlook.com and dragonball844@outlook.com
12713 and 19824), “Bruno Day,” and “Shariq Hashme” from the
issuing bank, Bank of America. In part, the records provided by Bank of America included the
following information:



26. The Bank of America records were linked by account owner information and
direct deposits described below. The following transactions were observed in the transaction
history portion of the Bank of America records for account ^^12236, an account linked to
the PayPal account registered
which mirrors PayPal withdrawals
from the account registered to Bruno.day.1988@outlook.com:


Date              Amount       Payment Received From    City, State
June 7, 2019      $3,009.50    PayPal *Day Bruno        San Jose, CA
May 31, 2019      $3,009.50    PayPal *Day Bruno        San Jose, CA
May 24, 2019      $3,009.50    PayPal *Day Bruno        San Jose, CA
May 10, 2019      $3,284.00    PayPal *Day Bruno        San Jose, CA
April 29, 2019    $3,146.75    PayPal *Day Bruno        San Jose, CA
April 19, 2019    $3,146.75    PayPal *Day Bruno        San Jose, CA
April 12, 2019    $3,274.15    PayPal *Day Bruno        San Jose, CA
March 22, 2019    $951.14      PayPal *Day Bruno        San Jose, CA
March 15, 2019    $533.79      PayPal *Day Bruno        San Jose, CA
March 8, 2019     $1,044.88    PayPal *Day Bruno        San Jose, CA
March 6, 2019     $23.63       PayPal *Day Bruno        San Jose, CA
March 6, 2019     $336.15      PayPal *Day Bruno        San Jose, CA



27. The FBI collected additional information on the subject, Shariq HASHME, from
California DMV records. The following identifiers relate to HASHME:

DL Number:

Name: Shariq Hashme

DOB:

Address: 


Sex - M: 



t-160 


• Brown; Height ■ 

28. According to one of HASHME’s social media profiles, he was most recently
employed as an engineer at Company A and located in San Francisco, California. HASHME is a
citizen of the United Kingdom and is believed to have left the United States to live overseas on
April 18, 2019, due to an expired work visa.

29. Company A advised that at no time during the aforementioned cyber incidents 
was HASHME authorized to access or alter the data or contents of the internal payment database, 
or cause the aforementioned rewards payments to be made to himself.

30. Furthermore, Company A informed the FBI that an internal investigation revealed
the destruction of payment database logs. Specifically, shortly after HASHME accessed internal
Company A infrastructure via his Virtual Private Network (VPN), database logs were altered to
delete the record of some of the fraudulent payments sent to the PayPal account registered to
Bruno.Day.1988@outlook.com, an account controlled by HASHME.

Discovery of HASHME Arrival 

31. On August 7, 2019, the FBI received information that HASHME was expected to
return to the United States by way of San Francisco International Airport on or about August 9,
2019. The FBI received additional information on August 9, 2019 that HASHME is expected to
return to the United States by way of SFO the next day, on August 10, 2019.

CONCLUSION 

32. Based on the evidence uncovered and the information provided by Company A as
well as records received by the FBI, it is believed that HASHME connected to Company A’s
internal payment servers to alter and divert bonus payments that were ultimately deposited to a
bank account he owned and controlled, resulting in losses of at least approximately $40,000.
Furthermore, as advised by Company A, HASHME had no authorization, legitimate business
requirements, or need, to access or alter payment information in Company A’s internal payment
database. I respectfully submit that there is probable cause to believe that HASHME knowingly
caused the transmission of a program, information, code, and command, and as a result of such
conduct, intentionally caused damage without authorization, to a protected computer, and
thereby caused loss to one or more persons during a one-year period affecting protected
computers aggregating at least $5,000 in value, all in violation of Title 18, United States Code,
Sections 1030(a)(5)(A), (c)(4)(B)(i), and (c)(4)(A)(i)(I).

REQUEST FOR SEALING

33. Because this investigation is continuing, disclosure of the arrest warrant, this
affidavit, and/or this application and the attachments thereto will jeopardize the progress of the
investigation. Disclosure of the arrest warrant at this time would seriously jeopardize the
investigation; as such a disclosure would allow HASHME to change patterns of behavior, notify
other confederates, destroy evidence, or flee or continue flight from prosecution. Accordingly, I
request that the Court issue an order that the complaint, arrest warrant, this affidavit in support of
application for complaint and arrest warrant, and all attachments thereto be filed under seal until
further order of this Court.


ROBBIE J. ROBERTSON
Special Agent
Federal Bureau of Investigation


Sworn to before me this
day of August 2019


HONORABLE ELIZABETH D. LAPORTE
United States Magistrate Judge